T1592.004 Microsoft Sentinel · KQL

Detect Client Configurations in Microsoft Sentinel

Adversaries may gather information about the victim's client configurations that can be used during targeting. Information about client configurations may include a variety of details and settings, including operating system/version, virtualization, architecture (32 or 64 bit), language, and/or time zone. Adversaries gather this information via active scanning (listening ports, server banners, user agent strings), phishing for information, or by compromising sites to deploy malicious JavaScript frameworks such as ScanBox that collect host information from visitors. HAFNIUM has used this technique to interact with Office 365 tenants to gather details about target environments. Collected client configuration data enables adversaries to select targeted exploits, craft convincing phishing lures, identify vulnerable software versions, and tailor payloads to victim architectures.

MITRE ATT&CK

Tactic: Reconnaissance
Technique: T1592 Gather Victim Host Information
Sub-technique: T1592.004 Client Configurations
Canonical reference: https://attack.mitre.org/techniques/T1592/004/

KQL Detection Query

Microsoft Sentinel (KQL)
```kusto
// URI paths characteristic of ScanBox-style collection endpoints
let ScanBoxCollectionPaths = dynamic([
  "/fp.php", "/gate.php", "/collect.php", "/plugin.php",
  "/log.php", "/track.php", "/config.php", "/init.php",
  "/js.php", "/stat.php"
]);
// Allowlist: analytics/APM vendors that legitimately POST telemetry to similar paths
let KnownAnalyticsDomains = dynamic([
  "google-analytics.com", "analytics.google.com", "mixpanel.com",
  "amplitude.com", "segment.io", "segment.com",
  "hotjar.com", "fullstory.com", "newrelic.com", "dynatrace.com"
]);
// Branch 1: ScanBox-style JavaScript fingerprinting POST exfiltration via proxy/firewall
let ScanBoxExfil = CommonSecurityLog
| where TimeGenerated > ago(24h)
| where RequestMethod == "POST"
| where RequestURL has_any (ScanBoxCollectionPaths)
| where not (DestinationHostName has_any (KnownAnalyticsDomains))
// Exclude internal zones; extend this list with your own internal suffixes
| where not (DestinationHostName endswith ".internal"
          or DestinationHostName endswith ".corp"
          or DestinationHostName endswith ".local")
| extend DetectionBranch = "ScanBox_POST_Exfiltration"
| extend RiskScore = case(
    RequestURL has_any ("/fp.php", "/gate.php", "/collect.php"), 3,
    RequestURL has_any ("/plugin.php", "/log.php", "/track.php"), 2,
    1
  )
| project TimeGenerated, SourceIP, SourceUserName, DestinationHostName,
          RequestURL, RequestMethod, DeviceAction, DetectionBranch, RiskScore;
// Branch 2: Office 365 tenant configuration enumeration via non-browser clients (HAFNIUM pattern)
let O365TenantEnum = SigninLogs
| where TimeGenerated > ago(24h)
| where AppDisplayName has_any ("Office 365", "Microsoft Office 365",
    "Office 365 Management APIs", "Azure Active Directory",
    "Microsoft Graph", "Azure Active Directory Graph")
// has_any is case-insensitive, so no tolower() is needed on UserAgent
| extend IsAutomatedClient = UserAgent has_any (
    "python", "curl/", "Go-http-client", "libwww-perl",
    "Invoke-WebRequest", "powershell", "okhttp", "axios",
    "java/", "Apache-HttpClient", "HttpClient", "requests/"
  )
| where IsAutomatedClient == true
| extend DetectionBranch = "O365_Tenant_Config_Enum"
| extend RiskScore = case(
    RiskLevelDuringSignIn == "high", 3,
    RiskLevelDuringSignIn == "medium", 2,
    UserAgent has_any ("python", "curl/", "Go-http-client"), 2,
    1
  )
| extend GeoCountry = tostring(LocationDetails.countryOrRegion)
| project TimeGenerated, UserPrincipalName, IPAddress, AppDisplayName,
          UserAgent, ResultType, RiskLevelDuringSignIn,
          GeoCountry, DetectionBranch, RiskScore;
union ScanBoxExfil, O365TenantEnum
| sort by RiskScore desc, TimeGenerated desc
```

Severity: medium · Confidence: low

Detects client configuration fingerprinting via two branches: (1) ScanBox-style JavaScript framework POST exfiltration through proxy/firewall CommonSecurityLog — identifies POST requests to characteristic collection endpoint URI paths (/fp.php, /gate.php, /collect.php) on non-analytics external domains, as deployed in watering hole attacks documented in the ATT&CK ScanBox reference; (2) Office 365 tenant enumeration matching the HAFNIUM pattern — identifies automated (non-browser) HTTP client access to O365 and Azure AD APIs using scripting tool user agents (Python, curl, Go, PowerShell) to profile tenant client configurations. Risk scoring prioritizes high-fidelity collection endpoint matches and scripted access.

Data Sources

  • Network Traffic: Network Traffic Content
  • Network Traffic: Network Traffic Flow
  • Application Log: Application Log Content
  • Microsoft Azure Active Directory: Logon Session

Required Tables

  • CommonSecurityLog
  • SigninLogs

False Positives & Tuning

  • Web analytics platforms (Google Analytics, Mixpanel, Amplitude) use POST requests to similar collection endpoint paths for behavioral telemetry — add known analytics vendor domains to the KnownAnalyticsDomains allowlist used by the ScanBox branch
  • Security awareness training platforms (KnowBe4, Proofpoint Security Awareness) simulate watering hole fingerprinting for phishing simulation campaigns and will generate matching proxy log events
  • Internal application performance monitoring tools (Dynatrace RUM, New Relic Browser) collect client configuration data via JavaScript agents that POST to similarly named endpoints
  • Legitimate service principal integrations with Office 365 using automated credentials (Python SDKs, Azure CLI, MSAL libraries) will trigger the O365 tenant enumeration branch — filter by registered application client IDs if known
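To dry-run the two branches and the allowlist tuning above against sample telemetry, here is an added Python re-implementation of the query's logic (not the page's KQL, not any product's code); the field names mirror the CommonSecurityLog and SigninLogs columns the query projects, and all sample records are constructed.

```python
# Added example, not the page's KQL nor any product's code: the two branches re-implemented in
# Python for an offline dry run (substring matching stands in for term-based KQL has_any).
SCANBOX_PATHS = ["/fp.php", "/gate.php", "/collect.php", "/plugin.php", "/log.php",
                 "/track.php", "/config.php", "/init.php", "/js.php", "/stat.php"]
ANALYTICS_DOMAINS = ["google-analytics.com", "analytics.google.com", "mixpanel.com", "amplitude.com",
                     "segment.io", "segment.com", "hotjar.com", "fullstory.com", "newrelic.com", "dynatrace.com"]
INTERNAL_SUFFIXES = (".internal", ".corp", ".local")
O365_APPS = ["office 365", "azure active directory", "microsoft graph"]
AUTOMATED_UA = ["python", "curl/", "go-http-client", "libwww-perl", "invoke-webrequest", "powershell",
                "okhttp", "axios", "java/", "apache-httpclient", "httpclient", "requests/"]

def scanbox_exfil(row):
    """Branch 1: POST to a ScanBox-style collection path on an external, non-analytics host."""
    url, host = row["RequestURL"].lower(), row["DestinationHostName"].lower()
    if row["RequestMethod"] != "POST" or not any(p in url for p in SCANBOX_PATHS):
        return None
    if any(d in host for d in ANALYTICS_DOMAINS) or host.endswith(INTERNAL_SUFFIXES):
        return None  # allowlisted analytics vendor or internal zone
    score = (3 if any(p in url for p in ("/fp.php", "/gate.php", "/collect.php"))
             else 2 if any(p in url for p in ("/plugin.php", "/log.php", "/track.php")) else 1)
    return {**row, "DetectionBranch": "ScanBox_POST_Exfiltration", "RiskScore": score}

def o365_tenant_enum(row):
    """Branch 2: scripted (non-browser) client signing in to an O365 / Azure AD application."""
    app, ua = row["AppDisplayName"].lower(), row["UserAgent"].lower()
    if not any(a in app for a in O365_APPS) or not any(t in ua for t in AUTOMATED_UA):
        return None
    risk = row.get("RiskLevelDuringSignIn", "none")
    score = (3 if risk == "high" else 2 if risk == "medium"
             or any(t in ua for t in ("python", "curl/", "go-http-client")) else 1)
    return {**row, "DetectionBranch": "O365_Tenant_Config_Enum", "RiskScore": score}

def run_detection(csl_rows, signin_rows):
    """Union both branches and order like the query: RiskScore desc, TimeGenerated desc."""
    hits = [h for r in csl_rows if (h := scanbox_exfil(r))]
    hits += [h for r in signin_rows if (h := o365_tenant_enum(r))]
    return sorted(hits, key=lambda h: (h["RiskScore"], h["TimeGenerated"]), reverse=True)

CSL_SAMPLE = [  # constructed proxy log rows: one true hit, one analytics vendor, one internal host
    {"TimeGenerated": "2024-05-01T10:00:00Z", "RequestMethod": "POST", "RequestURL": "/collect.php",
     "DestinationHostName": "cdn-update.example", "SourceIP": "10.1.2.3"},
    {"TimeGenerated": "2024-05-01T10:01:00Z", "RequestMethod": "POST", "RequestURL": "/collect.php",
     "DestinationHostName": "www.google-analytics.com", "SourceIP": "10.1.2.4"},
    {"TimeGenerated": "2024-05-01T10:02:00Z", "RequestMethod": "POST", "RequestURL": "/track.php",
     "DestinationHostName": "apm.corp", "SourceIP": "10.1.2.5"}]
SIGNIN_SAMPLE = [  # constructed sign-in rows: one scripted client (fires), one browser (ignored)
    {"TimeGenerated": "2024-05-01T10:03:00Z", "AppDisplayName": "Microsoft Graph",
     "UserAgent": "python-requests/2.31.0", "RiskLevelDuringSignIn": "none"},
    {"TimeGenerated": "2024-05-01T10:04:00Z", "AppDisplayName": "Office 365",
     "UserAgent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/124.0", "RiskLevelDuringSignIn": "none"}]
```

Running `run_detection(CSL_SAMPLE, SIGNIN_SAMPLE)` returns only the external /collect.php POST (score 3) and the python-requests sign-in (score 2); the analytics vendor, the .corp host and the browser sign-in are tuned out.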

Testing Methodology

Validate this detection against 5 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

  1. Test 1: Browser Client Configuration Fingerprinting Simulation

    Expected signal: Sysmon Event ID 1: Process Create for powershell.exe with CommandLine containing 'Invoke-WebRequest', 'POST', and '/collect.php'. Sysmon Event ID 3: Network Connection attempt to 127.0.0.1:8888 (connection fails — no listener). PowerShell ScriptBlock Log Event ID 4104 showing the fingerprint assembly and POST attempt. If traffic routed through proxy: CommonSecurityLog entry showing POST to /collect.php with 127.0.0.1 destination.

  2. Test 2: Office 365 Tenant Configuration Enumeration via OpenID Connect Discovery

    Expected signal: Sysmon Event ID 1: Process Create for powershell.exe with CommandLine containing 'Invoke-WebRequest' and 'openid-configuration'. Sysmon Event ID 3: Outbound HTTPS connection to login.microsoftonline.com:443. Sysmon Event ID 22: DNS query for login.microsoftonline.com. PowerShell ScriptBlock Log Event ID 4104. Proxy logs: HTTPS CONNECT to login.microsoftonline.com with Windows PowerShell user agent string.

  3. Test 3: WMI System Configuration Collection Matching ScanBox Target Data

    Expected signal: Sysmon Event ID 1: Process Create for powershell.exe with WMI-related command line. Sysmon Event ID 11: File Create for t1592004_config.json in %TEMP%. WMI activity in Microsoft-Windows-WMI-Activity/Operational (Event IDs 5857, 5858) for Win32_OperatingSystem, Win32_Processor, Win32_TimeZone, and Win32_ComputerSystem queries. Windows Security Event ID 4688 (with command line auditing) showing powershell.exe execution.

  4. Test 4: HTTP User-Agent Client Configuration Passive Collection (Linux)

    Expected signal: Linux audit logs (auditd): execve syscalls for python3 and curl. Syslog: process creation for python3 HTTP listener. If Sysmon for Linux is deployed: Event ID 3 (Network Connection) for TCP bind on port 18889 and the curl connection. The collected output shows User-Agent encoding 'Windows NT 10.0; Win64; x64' — OS type, version, and architecture in a single header.

  5. Test 5: Azure AD Tenant Client Configuration Enumeration via Scripted User Agent

    Expected signal: Sysmon Event ID 1: Process Create for powershell.exe with CommandLine containing 'System.Net.Http', 'HttpClient', and 'python-requests'. Sysmon Event ID 3: Outbound HTTPS connection to login.microsoftonline.com:443 with initiating process powershell.exe. Sysmon Event ID 22: DNS query for login.microsoftonline.com. PowerShell ScriptBlock Log Event ID 4104. Proxy logs: HTTPS request to login.microsoftonline.com with User-Agent 'python-requests/2.31.0' from a Windows host — anomalous cross-platform user-agent spoofing.
